cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO works on SAPGUI, but not on WebGUI

Go to solution
former_member231903
Participant

on ‎03-14-2016 2:57 AM

0 Kudos

Hi experts,

I'm using X.509 certificate, I have two Servers, both available on SAPGUI and WebGUI.

But I'm facing some problems.

I can logon using SSO in Server A, both SAPGUI and WebGUI.

I can logon using SSO in Server B, only SAPGUI, but WebGUI still prompts logon page asking for ID and Password.

It seems that my Secure Login Client works well, and the configurations on Server A and B works because I can SSO in SAPGUI.

So what might be the problem that causes my failed to logon to Server B in WebGUI?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

donka_dimitrova
Contributor
‎03-14-2016 1:38 PM
0 Kudos

Hello Blangero,

Please, make sure that you have correct user mappings for the second server. See the details here:

Rule-Based Certificate Mapping - Using X.509 Client Certificates on the AS ABAP - SAP Library 

Mapping X.509 Certificates in Table USREXTID - Using X.509 Client Certificates on the AS ABAP - SAP ...

Regards,

Donka Dimitrova


Show replies
Show replies
former_member231903
Participant
‎03-15-2016 9:43 AM
0 Kudos

Hi Donka,

Thanks for your reply, I checked the mapping mentioned by you but seems no error on that.

According to SAP help document, I should do the followings to make SSO work for SAP GUI for HTML using X.509 certificates:

  1. Set the AS ABAP profile parameter icm/HTTPS/verify_client to the value 1 (accept certificates) or 2 (require certificates) to support the use of client certificates.

If you are configuring X.509 certificate logon for Web services, you do not have to set this parameter.

  2.  Restart the ICManager (using transaction SMICM).

  3.  Maintain the server’s SSL server PSE.

Use the trust manager (transaction STRUST) and import the issuing CA’s root certificate into this PSE’s certificate list.

  4.  Maintain the user mapping in table USREXTID (for example, using the table maintenance transaction SM30, view VUSREXTID).

And in 3., it says Maintain the server’s SSL server PSE, but in Tcode STRUST I didn't find anything called 'SSL server PSE', but I find one called SSL server Standard, is that what 3. mentioned? Because I find that in Server B, SSL server Standard Certificate List do not have the one I see in Server A which is the certificate I have.

former_member231903
Participant
‎03-15-2016 10:07 AM
0 Kudos

Hi Donka,

I read the pages you give, but still didn't find the exactly one with the name SSL server PSE. I;m 99% sure that it is SSL server Standard now, would you please confirm it for me, in order to make it 100%?

donka_dimitrova
Contributor
‎03-15-2016 12:50 PM
0 Kudos

Hello Blangero,

If this is a screenshot from your server B, does your server A also configured with such "CN=*.w....." and Issuer "CN=*.w...". What is the difference bettween the SSL Server Standard for the Server A and the Server B?

Regards,

Donka Dimitrova

former_member231903
Participant
‎03-16-2016 1:57 AM
0 Kudos

If now the name is SSL server Standard, then I know what causes the problem.

In server A, the the certificate for SSO is imported correctly,

In server B, it's not. the certificate exist in System PSE but not in SSL Server Standard.

That's the reason.
And I only to know why, but I think I'm not allowed to change this setting . Getting to know the whys are enough for me.

Thanks Donka for your help!

Answers (2)

Answers (2)

claudio_normani
Explorer
‎02-19-2021 2:25 PM
0 Kudos

Hello

I have exactly this error. SSO with GUI works, not when I start WebGui. Do you remember what the reason was?

Thanks for your answer

Regards

Claudio

Show replies
Show replies
former_member231903
Participant
‎02-22-2021 1:43 AM
0 Kudos

Hi Claudio,

You can find the details in previous replies and comments, and if required you can create a new thread with details of the error you're facing.

Regards,

Blan

Former Member
‎03-15-2016 10:21 AM
0 Kudos

Hallo,

have you compared the SICF services for the WebGUI in both systems?

Regards

Thomas.

Show replies
Show replies
former_member231903
Participant
‎03-16-2016 1:58 AM

Hi Thomas,

I've compared the services and they are the same, I've found out the reason, thanks for your reply!

Regards,

Blangero

Ask a Question